Teach SSLHostStateDelegate about subresources with cert errors

content/public/browser/ssl_host_state_delegate.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_PUBLIC_BROWSER_SSL_HOST_STATE_DELEGATE_H_
 #define CONTENT_PUBLIC_BROWSER_SSL_HOST_STATE_DELEGATE_H_
 
 #include <memory>
 
 #include "base/memory/ref_counted.h"
@@ skipping 13 matching lines @@
 // strategy for certificate decisions or it may be left unimplemented to use a
 // default strategy of not remembering decisions at all.
 class SSLHostStateDelegate {
  public:
   // The judgements that can be reached by a user for invalid certificates.
   enum CertJudgment {
     DENIED,
     ALLOWED
   };
 
+  // The types of nonsecure subresources that this class keeps track of.
+  enum InsecureContentType {
+    // A  MIXED subresource was loaded over HTTP on an HTTPS page.
+    MIXED_CONTENT,
+    // A CERT_ERRORS subresource was loaded over HTTPS with certificate
+    // errors on an HTTPS page.
+    CERT_ERRORS_CONTENT,
+  };
+
   // Records that |cert| is permitted to be used for |host| in the future, for
   // a specified |error| type.
   virtual void AllowCert(const std::string&,
                          const net::X509Certificate& cert,
                          net::CertStatus error) = 0;
 
   // Clear all allow preferences.
   virtual void Clear() = 0;
 
   // Queries whether |cert| is allowed for |host| and |error|. Returns true in
   // |expired_previous_decision| if a previous user decision expired immediately
   // prior to this query, otherwise false.
   virtual CertJudgment QueryPolicy(const std::string& host,
                                    const net::X509Certificate& cert,
                                    net::CertStatus error,
                                    bool* expired_previous_decision) = 0;
 
-  // Records that a host has run insecure content.
-  virtual void HostRanInsecureContent(const std::string& host, int pid) = 0;
+  // Records that a host has run insecure content of the given |content_type|.
+  virtual void HostRanInsecureContent(const std::string& host,
+                                      int pid,

[jam, 2016/08/11 19:53:13]

nit: (in a followup if you agree), I just noticed that this code says "pid"
which is a bit misleading. the id here is usually called child_id in interfaces,
as opposed to a pid, because it's not the OS' process ID. it's chrome's unique
ID per process (i.e.
https://cs.chromium.org/chromium/src/content/public/browser/render_process_ho...)

[estark, 2016/08/11 20:58:38]

That sounds reasonable, I will file a bug to come back and clean this up as soon
as I stop getting 500s from monorail :)

+                                      InsecureContentType content_type) = 0;
 
-  // Returns whether the specified host ran insecure content.
-  virtual bool DidHostRunInsecureContent(const std::string& host,
-                                         int pid) const = 0;
+  // Returns whether the specified host ran insecure content of the given
+  // |content_type|.
+  virtual bool DidHostRunInsecureContent(
+      const std::string& host,
+      int pid,
+      InsecureContentType content_type) const = 0;
 
   // Revokes all SSL certificate error allow exceptions made by the user for
   // |host|.
   virtual void RevokeUserAllowExceptions(const std::string& host) = 0;
 
   // Returns whether the user has allowed a certificate error exception for
   // |host|. This does not mean that *all* certificate errors are allowed, just
   // that there exists an exception. To see if a particular certificate and
   // error combination exception is allowed, use QueryPolicy().
   virtual bool HasAllowException(const std::string& host) const = 0;
 
  protected:
   virtual ~SSLHostStateDelegate() {}
 };
 
 }  // namespace content
 
 #endif  // CONTENT_PUBLIC_BROWSER_SSL_HOST_STATE_DELEGATE_H_